Is there a standard way to generate paseto tokens with human-readable payload without verification? #29
-
Hello, I'm using your paseto package https://www.npmjs.com/package/paseto to generate PASETO tokens and am trying to understand if there is a standard way to generate a PASETO token that yields a human-readable payload without verification. The reason for this is that some OAuth flows return a JWT "id_token" yielding user data, such as a display_name: link. Because JWT tokens are used in these flows, the data is readable without decryption or verification. If possible, I'd like to generate a PASETO id_token. Thank you for any response you may have.
Replies: 1 comment 1 reply
-
No OIDC Authorization Server will issue ID Tokens represented as PASETO because, well, the specification defines it as a JWT.

JWTs, like PASETOs, can come in a configuration that requires decryption before being decoded. In OpenID Connect's ID Tokens this is done by first signing, then encrypting (either symmetric or public-key) for the recipient. This is an affordance that needs to be supported by the authorization server.

FWIW PASETO public is also "just" signed, and can be decoded to obtain its claims without any keying material.